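# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Build the zone files used by the "verify" system test.  Every fixture
# is written to "<zone>.good" or "<zone>.bad" according to the verdict
# dnssec-verify is expected to reach on it; the "bad" files deliberately
# contain broken DNSSEC data and exist only as negative test inputs.
#
# Tool failures are reported through dumpit instead of aborting, so one
# broken fixture does not prevent the others from being generated.
# Written for POSIX sh; $KEYGEN, $SIGNER, echo_i, echo_d and cat_d are
# provided by conf.sh.

SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"

SYSTESTDIR=verify

# Report a failed tool run: name the fixture being built and forward the
# tool's captured output to the debug channel.
# Globals read: debug (set by setup)
# Arguments:    $1 - file holding the tool's output
dumpit () {
  echo_d "${debug}: dumping ${1}"
  cat_d < "${1}"
}

# Start a new fixture: announce it and set the globals shared by the
# commands that follow.
# Arguments:       $1 - zone name
#                  $2 - expected verdict, "good" or "bad"
# Globals written: debug, zone, file (= "<zone>.<verdict>") and n, a
#                  per-fixture counter that keeps the log files apart
setup () {
  echo_i "setting up $2 zone: $1"
  debug="$1"
  zone="$1"
  file="$1.$2"
  n=$((${n:-0} + 1))
}

# An unsigned zone should fail validation.
setup unsigned bad
cp unsigned.db unsigned.bad

# A set of NSEC zones.  -S lets dnssec-signzone pick up the keys
# generated in the current directory; -P skips post-sign verification.
setup zsk-only.nsec good
$KEYGEN -a rsasha256 "${zone}" > "kg.out$n" 2>&1 || dumpit "kg.out$n"
$SIGNER -SP -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

setup ksk-only.nsec good
$KEYGEN -a rsasha256 -fK "${zone}" > "kg.out$n" 2>&1 || dumpit "kg.out$n"
$SIGNER -SPz -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

setup ksk+zsk.nsec good
$KEYGEN -a rsasha256 "${zone}" > "kg1.out$n" 2>&1 || dumpit "kg1.out$n"
$KEYGEN -a rsasha256 -fK "${zone}" > "kg2.out$n" 2>&1 || dumpit "kg2.out$n"
$SIGNER -SPx -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

# Same zone with a DNAME at the apex.  The key names are captured only to
# keep them off the console; the signer locates the keys itself (-S).
setup ksk+zsk.nsec.apex-dname good
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cp unsigned.db "${file}.tmp"
printf '%s\n' "@ DNAME data" >> "${file}.tmp"
$SIGNER -SP -o "${zone}" -f "${file}" "${file}.tmp" > "s.out$n" || dumpit "s.out$n"

# A set of NSEC3 zones.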
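# NSEC3 variants of the zones above ("-3 -" selects NSEC3 with an empty
# salt; -A additionally sets the opt-out flag).
setup zsk-only.nsec3 good
$KEYGEN -a rsasha256 "${zone}" > "kg.out$n" 2>&1 || dumpit "kg.out$n"
$SIGNER -3 - -SP -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

setup ksk-only.nsec3 good
$KEYGEN -a rsasha256 -fK "${zone}" > "kg.out$n" 2>&1 || dumpit "kg.out$n"
$SIGNER -3 - -SPz -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

setup ksk+zsk.nsec3 good
$KEYGEN -a rsasha256 "${zone}" > "kg1.out$n" 2>&1 || dumpit "kg1.out$n"
$KEYGEN -a rsasha256 -fK "${zone}" > "kg2.out$n" 2>&1 || dumpit "kg2.out$n"
$SIGNER -3 - -SPx -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

setup ksk+zsk.optout good
$KEYGEN -a rsasha256 "${zone}" > "kg1.out$n" 2>&1 || dumpit "kg1.out$n"
$KEYGEN -a rsasha256 -fK "${zone}" > "kg2.out$n" 2>&1 || dumpit "kg2.out$n"
$SIGNER -3 - -A -SPx -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

# NSEC3 zone with a DNAME at the apex.  The key names are captured only to
# keep them off the console; the signer locates the keys itself (-S).
setup ksk+zsk.nsec3.apex-dname good
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cp unsigned.db "${file}.tmp"
printf '%s\n' "@ DNAME data" >> "${file}.tmp"
$SIGNER -3 - -SP -o "${zone}" -f "${file}" "${file}.tmp" > "s.out$n" || dumpit "s.out$n"

#
# generate an NSEC record like
# aba NSEC FOO ...
# then downcase all the FOO records so the next name in the database
# becomes foo when the zone is loaded.
#
# The keys are pulled in with $include, so the zone text is built here
# rather than derived from unsigned.db.  Each keygen run gets its own
# log file so neither one overwrites the other's diagnostics.
setup nsec-next-name-case-mismatch good
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
cat << EOF > "${zone}.tmp"
\$TTL 0
@ IN SOA foo . ( 1 28800 7200 604800 1800 )
@ NS foo
\$include $ksk.key
\$include $zsk.key
FOO AAAA ::1
FOO A 127.0.0.2
aba CNAME FOO
EOF
$SIGNER -zP -o "${zone}" -f "${file}.tmp" "${zone}.tmp" > "s.out$n" || dumpit "s.out$n"
# Lower-case the owner of every FOO record in the signed output; the NSEC
# for "aba" still names "FOO" as its next owner.
sed 's/^FOO\./foo\./' < "${file}.tmp" > "${file}"

# A set of zones with only DNSKEY records.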
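# Zones that carry DNSKEY records but no signatures at all.  The keygen
# diagnostics go to the same per-fixture file that dumpit reads.
setup zsk-only.dnskeyonly bad
key1=$($KEYGEN -a rsasha256 "${zone}" 2> "kg.out$n") || dumpit "kg.out$n"
cat unsigned.db "$key1.key" > "${file}"

setup ksk-only.dnskeyonly bad
key1=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg.out$n") || dumpit "kg.out$n"
cat unsigned.db "$key1.key" > "${file}"

setup ksk+zsk.dnskeyonly bad
key1=$($KEYGEN -a rsasha256 "${zone}" 2> "kg.out$n") || dumpit "kg.out$n"
key2=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg.out$n") || dumpit "kg.out$n"
cat unsigned.db "$key1.key" "$key2.key" > "${file}"

# A set of zones with expired records.  -s moves the signature inception
# 2678400 seconds (31 days) into the past, so the signatures' default
# validity window has already closed.  $s is expanded unquoted on purpose:
# it must split into the option and its argument (POSIX sh, no arrays).
s="-s -2678400"
setup zsk-only.nsec.expired bad
$KEYGEN -a rsasha256 "${zone}" > "kg.out$n" 2>&1 || dumpit "kg.out$n"
$SIGNER -SP ${s} -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

setup ksk-only.nsec.expired bad
$KEYGEN -a rsasha256 -fK "${zone}" > "kg.out$n" 2>&1 || dumpit "kg.out$n"
$SIGNER -SPz ${s} -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

setup ksk+zsk.nsec.expired bad
$KEYGEN -a rsasha256 "${zone}" > "kg1.out$n" 2>&1 || dumpit "kg1.out$n"
$KEYGEN -a rsasha256 -fK "${zone}" > "kg2.out$n" 2>&1 || dumpit "kg2.out$n"
$SIGNER -SP ${s} -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

setup zsk-only.nsec3.expired bad
$KEYGEN -a rsasha256 "${zone}" > "kg.out$n" 2>&1 || dumpit "kg.out$n"
$SIGNER -3 - ${s} -SP -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

setup ksk-only.nsec3.expired bad
$KEYGEN -a rsasha256 -fK "${zone}" > "kg.out$n" 2>&1 || dumpit "kg.out$n"
$SIGNER -3 - ${s} -SPz -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

setup ksk+zsk.nsec3.expired bad
$KEYGEN -a rsasha256 "${zone}" > "kg1.out$n" 2>&1 || dumpit "kg1.out$n"
$KEYGEN -a rsasha256 -fK "${zone}" > "kg2.out$n" 2>&1 || dumpit "kg2.out$n"
$SIGNER -3 - ${s} -SPx -o "${zone}" -f "${file}" unsigned.db > "s.out$n" || dumpit "s.out$n"

# KSK expired: sign with the ZSK using a current window, then sign again
# with only the KSK and the expired window.  The DNSKEY RRSIG's expiration
# (field 9 in -O full output) must already lie in the past; the far-future
# default makes a missing RRSIG fail the check and dump the zone too.
setup ksk+zsk.nsec.ksk-expired bad
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cat unsigned.db "$ksk.key" "$zsk.key" > "$file"
$SIGNER -Px -o "${zone}" -f "${file}" "${file}" "$zsk" > "s.out$n" || dumpit "s.out$n"
$SIGNER ${s} -P -O full -o "${zone}" -f "${file}" "${file}" "$ksk" > "s.out$n" || dumpit "s.out$n"
now=$(date -u +%Y%m%d%H%M%S)
exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9; }' "${file}")
[ "${exp:-40001231246060}" -lt "${now:-0}" ] || dumpit "$file"

setup ksk+zsk.nsec3.ksk-expired bad
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cat unsigned.db "$ksk.key" "$zsk.key" > "$file"
$SIGNER -3 - -Px -o "${zone}" -f "${file}" "${file}" "$zsk" > "s.out$n" || dumpit "s.out$n"
$SIGNER -3 - ${s} -P -O full -o "${zone}" -f "${file}" "${file}" "$ksk" > "s.out$n" || dumpit "s.out$n"
now=$(date -u +%Y%m%d%H%M%S)
exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9; }' "${file}")
[ "${exp:-40001231246060}" -lt "${now:-0}" ] || dumpit "$file"

# The remaining NSEC/NSEC3 fixtures follow one pattern: sign with the KSK
# and -O full (one record per line, easy to edit with awk), hand-edit the
# chain, then sign with the ZSK under -Z nonsecify so the signer keeps the
# edited records instead of regenerating the chain.  Shell values are
# handed to awk with -v rather than spliced into the program text.

# broken NSEC chain: every NSEC's next-owner is pointed at the apex (the
# awk program emits each NSEC twice, both copies rewritten).
setup ksk+zsk.nsec.broken-chain bad
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cat unsigned.db "$ksk.key" "$zsk.key" > "$file"
$SIGNER -P -O full -o "${zone}" -f "${file}" "${file}" "$ksk" > "s.out$n" || dumpit "s.out$n"
awk -v zone="$zone" '$4 == "NSEC" { $5 = zone "."; print } { print }' "${file}" > "${file}.tmp"
$SIGNER -Px -Z nonsecify -o "${zone}" -f "${file}" "${file}.tmp" "$zsk" > "s.out$n" || dumpit "s.out$n"

# bad NSEC bitmap: blank the first type in the apex NSEC's bitmap (the one
# that lists SOA); again the edited record is emitted twice.
setup ksk+zsk.nsec.bad-bitmap bad
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cat unsigned.db "$ksk.key" "$zsk.key" > "$file"
$SIGNER -P -O full -o "${zone}" -f "${file}" "${file}" "$ksk" > "s.out$n" || dumpit "s.out$n"
awk '$4 == "NSEC" && /SOA/ { $6 = ""; print } { print }' "${file}" > "${file}.tmp"
$SIGNER -Px -Z nonsecify -o "${zone}" -f "${file}" "${file}.tmp" "$zsk" > "s.out$n" || dumpit "s.out$n"

# extra NSEC record outside of the zone
setup ksk+zsk.nsec.out-of-zone-nsec bad
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cat unsigned.db "$ksk.key" "$zsk.key" > "$file"
$SIGNER -P -O full -o "${zone}" -f "${file}" "${file}" "$ksk" > "s.out$n" || dumpit "s.out$n"
printf '%s\n' "out-of-zone. 3600 IN NSEC ${zone}. A" >> "${file}"
$SIGNER -Px -Z nonsecify -O full -o "${zone}" -f "${file}" "${file}" "$zsk" > "s.out$n" || dumpit "s.out$n"

# extra NSEC record below the bottom of the zone (under the ns.sub
# delegation)
setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cat unsigned.db "$ksk.key" "$zsk.key" > "$file"
$SIGNER -P -O full -o "${zone}" -f "${file}" "${file}" "$ksk" > "s.out$n" || dumpit "s.out$n"
printf '%s\n' "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> "${file}"
$SIGNER -Px -Z nonsecify -O full -o "${zone}" -f "${file}.tmp" "${file}" "$zsk" > "s.out$n" || dumpit "s.out$n"
# dnssec-signzone signs any node with a NSEC record, so drop every RRSIG
# it produced at ns.sub except the one covering the NSEC itself.
awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' "${file}.tmp" > "${file}"

# extra NSEC record below a DNAME
setup ksk+zsk.nsec.below-dname-nsec bad
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cat unsigned.db "$ksk.key" "$zsk.key" > "$file"
$SIGNER -P -O full -o "${zone}" -f "${file}" "${file}" "$ksk" > "s.out$n" || dumpit "s.out$n"
printf '%s\n' "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> "${file}"
$SIGNER -Px -Z nonsecify -O full -o "${zone}" -f "${file}" "${file}" "$zsk" > "s.out$n" || dumpit "s.out$n"

# missing NSEC3 record at empty node
# extract the hash fields from the empty node's NSEC3 record (the one with
# no type bitmap, hence exactly 9 fields), then fix up the NSEC3 chain to
# remove it: the predecessor's next-hash (a) is redirected to the empty
# node's own next-hash (b).  Appending "" keeps the comparison a string
# comparison, as the original quoted literals were.
setup ksk+zsk.nsec3.missing-empty bad
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cat unsigned.db "$ksk.key" "$zsk.key" > "$file"
$SIGNER -3 - -P -O full -o "${zone}" -f "${file}" "${file}" "$ksk" > "s.out$n" || dumpit "s.out$n"
a=$(awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' "${file}")
b=$(awk '$4 == "NSEC3" && NF == 9 { print $9; }' "${file}")
awk -v a="$a" -v b="$b" '
$4 == "NSEC3" && $9 == (a "") { $9 = b; print; next; }
$4 == "NSEC3" && NF == 9 { next; }
{ print; }' "${file}" > "${file}.tmp"
$SIGNER -3 - -Px -Z nonsecify -O full -o "${zone}" -f "${file}" "${file}.tmp" "$zsk" > "s.out$n" || dumpit "s.out$n"

# extra NSEC3 record: clone the empty node's NSEC3 under a synthetic
# owner hash with a synthetic next-hash and append it to the zone.
setup ksk+zsk.nsec3.extra-nsec3 bad
zsk=$($KEYGEN -a rsasha256 "${zone}" 2> "kg1.out$n") || dumpit "kg1.out$n"
ksk=$($KEYGEN -a rsasha256 -fK "${zone}" 2> "kg2.out$n") || dumpit "kg2.out$n"
cat unsigned.db "$ksk.key" "$zsk.key" > "$file"
$SIGNER -3 - -P -O full -o "${zone}" -f "${file}" "${file}" "$ksk" > "s.out$n" || dumpit "s.out$n"
awk -v zone="$zone" '
BEGIN {
  ZONE = zone ".";
}
$4 == "NSEC3" && NF == 9 {
  $1 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3H." ZONE;
  $9 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3I";
  print;
}' "${file}" > "${file}.tmp"
cat "${file}.tmp" >> "${file}"
rm -f "${file}.tmp"
$SIGNER -3 - -Px -Z nonsecify -O full -o "${zone}" -f "${file}" "${file}" "$zsk" > "s.out$n" || dumpit "s.out$n"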